Keypoints
- Nine NuGet packages (published 2023–2024 by alias shanhai666) contain ~20-line malicious payloads hidden in thousands of lines of legitimate code and accumulated 9,488 downloads.
- The malicious code uses C# extension methods to intercept database and PLC operations and, once a package's date condition is met (after the trigger date for the database packages, before the cut-off date for Sharp7Extend), executes a probabilistic Process.GetCurrentProcess().Kill() with a 20% chance on each intercepted operation.
- Database packages trigger after specific dates (one SQL Server on 2027-08-08; PostgreSQL, SQLite, and variant SQL Server on 2028-11-29); Sharp7Extend activates immediately until 2028-06-06 for process kills and uses a 30–90 minute grace period before enabling 80% silent PLC write failures.
- Sharp7Extend typosquats the legitimate Sharp7 library, bundles the unmodified Sharp7 1.1.79 code to appear fully functional, and thereby evades detection during testing and review.
- The dual sabotage in Sharp7Extend (random crashes + delayed silent write corruption) creates intermittent failures that mimic hardware/network faults, greatly complicating incident response and attribution.
- The threat actor employed several evasion techniques: a mix of legitimate and malicious packages, inconsistent author metadata, forged/malformed signature files, Chinese-language artifacts, and typosquatting to increase accidental installs.
- Socket reported the packages to NuGet on 2025-11-05; NuGet is investigating, but the packages remained live at the time of publication. Immediate auditing and removal of these dependencies is recommended for affected organizations.
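The auditing step recommended above can be started from the project files themselves. The following is an added example (not code from the Socket report or from any of the packages it names): a small Python script that walks a .csproj for PackageReference entries and flags the package names the report gives, plus any package that extends the Sharp7 name the way Sharp7Extend does. Only four of the nine malicious package names appear on this page, so the block list is partial and should be completed from the advisory; the sample project file is constructed for the demonstration.

```python
"""Audit a .NET project file for the malicious NuGet packages named in the report."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Package names taken from the report. Only four of the nine malicious packages
# are named on the page, so this list is partial (assumption: extend it from the advisory).
KNOWN_MALICIOUS = {
    "Sharp7Extend",
    "DbRepository.dll",
    "PGSqlRepository.dll",
    "SqlLiteRepository.dll",
}
# Legitimate library whose name was typosquatted, per the report.
TYPOSQUAT_TARGETS = {"Sharp7"}


def parse_package_references(csproj_xml: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every <PackageReference> in a .csproj string."""
    root = ET.fromstring(csproj_xml)
    refs: List[Tuple[str, str]] = []
    for elem in root.iter():
        # Strip any XML namespace: legacy MSBuild projects declare one, SDK-style ones do not.
        if elem.tag.split("}")[-1] != "PackageReference":
            continue
        name = elem.get("Include") or elem.get("Update")
        version = elem.get("Version") or ""
        if not version:
            # The version may also be given as a child element instead of an attribute.
            for child in elem:
                if child.tag.split("}")[-1] == "Version" and child.text:
                    version = child.text.strip()
        if name:
            refs.append((name, version))
    return refs


def classify(name: str) -> Optional[str]:
    """Label a package name: known-malicious, a possible typosquat, or None if clean."""
    lower = name.lower()
    if lower in {m.lower() for m in KNOWN_MALICIOUS}:
        return "known-malicious"
    for legit in TYPOSQUAT_TARGETS:
        # Same prefix as the trusted name but not the trusted name itself (e.g. Sharp7Extend).
        if lower != legit.lower() and lower.startswith(legit.lower()):
            return f"possible-typosquat-of-{legit}"
    return None


def audit_csproj(csproj_xml: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious PackageReference in the project file."""
    findings = []
    for name, version in parse_package_references(csproj_xml):
        label = classify(name)
        if label:
            findings.append({"package": name, "version": version, "finding": label})
    return findings


# Constructed sample project file for demonstration; not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.79" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="PGSqlRepository.dll">
      <Version>2.1.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for f in audit_csproj(SAMPLE_CSPROJ):
        print(f"{f['finding']}: {f['package']} {f['version']}")
```

Run it over every .csproj in a repository, and pair it with `dotnet list package --include-transitive` so that a malicious package pulled in indirectly is not missed; the legitimate Sharp7 reference in the sample is deliberately left unflagged, since the point of the typosquat is that the real library and the fake one sit side by side.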
MITRE Techniques
- [T1195.002] Compromise Software Supply Chain – Malicious NuGet packages published under alias shanhai666 inject destructive payloads into dependencies and repository code, “published under the NuGet alias shanhai666 between 2023 and 2024”.
- [T1036.005] Masquerading: Match Legitimate Name or Location – Typosquatting Sharp7 by naming the malicious package Sharp7Extend and bundling the legitimate Sharp7 library to appear authentic, “by appending ‘Extend’ to the trusted Sharp7 name”.
- [T1489] Service Stop – Probabilistic calls to Process.GetCurrentProcess().Kill() terminate applications on database and PLC operations, “Process currentProcess = Process.GetCurrentProcess(); currentProcess.Kill();”.
- [T1565.001] Data Manipulation: Stored Data Manipulation – Sharp7Extend silently returns failures for PLC write operations (80% failure rate after the grace period), causing write operations to appear successful while not updating PLCs, “return 0; // 80% failure rate – silent operation failure”.
Indicators of Compromise
- [NuGet packages] malicious package names and alias – examples include Sharp7Extend, DbRepository.dll (SQL Server variant), PGSqlRepository.dll (PostgreSQL), SqlLiteRepository.dll (SQLite); and six other malicious packages (total nine malicious packages).
- [NuGet alias] publisher alias – shanhai666 (packages published under this alias across 2023–2024).
- [Downloads] adoption metric – combined 9,488 downloads for the nine malicious packages.
- [Signature file] malformed signature artifacts – .signature.p7s with malformed PKCS7 structure and embedded “shanhai666” string (OpenSSL parsing errors reported).
- [Code artifacts] Chinese-language strings in DLLs – examples: “出现异常” (exception occurred), “数据请求地址不正确” (data request address incorrect), “连接失败” (connection failed).
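To turn the indicators above into a check on a downloaded package, here is an added Python example (not code from the report or from the packages it describes). A .nupkg is an ordinary zip archive, so the script opens it and looks for the three artifacts listed: the shanhai666 alias in the .nuspec authors field, a .signature.p7s that is not a structurally valid DER SEQUENCE or that embeds the alias, and the reported Chinese strings inside shipped DLLs. .NET string literals are stored as UTF-16LE in the assembly's user-string heap, so the search uses that encoding as well as UTF-8. The package it builds for the demonstration is constructed and contains no real payload.

```python
"""Inspect a .nupkg (a zip) for the indicators in the report: publisher alias,
malformed signature file, and Chinese-language strings inside the shipped DLLs."""
import io
import re
import zipfile
from typing import Dict, List

ALIAS = "shanhai666"  # publisher alias from the report
# Chinese strings from the report. C# string literals are stored UTF-16LE in the
# assembly's #US heap, so both that encoding and UTF-8 are searched.
SUSPICIOUS_STRINGS = ["出现异常", "数据请求地址不正确", "连接失败"]


def der_sequence_is_well_formed(data: bytes) -> bool:
    """Cheap structural check only: a DER-encoded CMS/PKCS#7 blob is a single SEQUENCE
    whose declared length matches the file length exactly. This is not signature
    verification; it catches the kind of malformed blob a full parser rejects."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def inspect_nupkg(nupkg_bytes: bytes) -> Dict[str, List[str]]:
    """Return findings grouped by indicator type for one package archive."""
    findings: Dict[str, List[str]] = {"alias": [], "signature": [], "strings": []}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            if name.endswith(".nuspec"):
                text = data.decode("utf-8", "replace")
                m = re.search(r"<authors>(.*?)</authors>", text, re.S)
                if m and ALIAS in m.group(1):
                    findings["alias"].append(f"{name}: authors={m.group(1).strip()}")
            elif name == ".signature.p7s":
                if not der_sequence_is_well_formed(data):
                    findings["signature"].append(f"{name}: not a well-formed DER SEQUENCE")
                if ALIAS.encode() in data:
                    findings["signature"].append(f"{name}: contains '{ALIAS}'")
            elif name.lower().endswith(".dll"):
                for s in SUSPICIOUS_STRINGS:
                    if s.encode("utf-16-le") in data or s.encode("utf-8") in data:
                        findings["strings"].append(f"{name}: {s!r}")
    return findings


def build_sample_nupkg() -> bytes:
    """Constructed package for demonstration only; not the real malicious artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "Sharp7Extend.nuspec",
            '<?xml version="1.0"?><package><metadata><id>Sharp7Extend</id>'
            f"<version>1.0.0</version><authors>{ALIAS}</authors></metadata></package>",
        )
        # Malformed signature: declared SEQUENCE length 0xFFFF does not match the blob size.
        zf.writestr(".signature.p7s", b"\x30\x82\xff\xff" + ALIAS.encode() + b"\x00" * 16)
        # Fake DLL body: an MZ stub followed by one UTF-16LE string literal.
        zf.writestr(
            "lib/netstandard2.0/Sharp7Extend.dll",
            b"MZ" + b"\x00" * 62 + "连接失败".encode("utf-16-le") + b"\x00" * 8,
        )
    return buf.getvalue()


if __name__ == "__main__":
    for kind, hits in inspect_nupkg(build_sample_nupkg()).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

The DER check deliberately stops at the outer SEQUENCE; when it fails, `openssl pkcs7 -inform DER -in .signature.p7s -noout` gives the full parse error that the report mentions. Chinese strings in a DLL are not malicious on their own, so treat that indicator as corroboration of the alias and signature findings rather than as a verdict.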
Read more: https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads